<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_ym19_1_1468160456567_199323"><span>Chuck,</span></div><div id="yui_3_16_0_ym19_1_1468160456567_199323"><span><br></span></div><div id="yui_3_16_0_ym19_1_1468160456567_199323"><span id="yui_3_16_0_ym19_1_1468160456567_200069">After listening to the Helsinki WG recorded session, I would like to express my concern that data security or system integrity, i.e. unintentional leaks are being treated only in the implementation phase, and according to some, should not even be included in our deliberations. </span></div><div id="yui_3_16_0_ym19_1_1468160456567_199323" dir="ltr"><span id="yui_3_16_0_ym19_1_1468160456567_200305">I believe data security and privacy to be the two main concerns of simple end-users who represent the overwhelming majority of Internet users. RDAP/Next-Gen RDS is an opportunity to build trust, in some cases, to restore it, for millions of people who use the Internet as an appliance, and whose faith in this medium continue to erode, will erode or will never materialize, unless concrete steps are taken, at every turn, to secure the loopholes that leave them feeling vulnerable. </span></div><div id="yui_3_16_0_ym19_1_1468160456567_199323" dir="ltr"><span id="yui_3_16_0_ym19_1_1468160456567_201094">When designing a new system or tweaking an old one, shouldn't security and integrity be at the heart of our activity? As far as I am concerned, data security is a deal breaker and the privacy of PIIs behind gated access a thin consolation for the risk that is not being properly addressed, within the context of heightened responsibilities on the part of those who benefit from the Internet and harvest personally identifying information. </span></div><div id="yui_3_16_0_ym19_1_1468160456567_199323" dir="ltr"><span id="yui_3_16_0_ym19_1_1468160456567_201593">If ICANN cannot tell people how to implement their software, who will? Involuntary data breaches a mere section in the third and last part of our work...this doesn't address evolving realities on the ground. If PIIs have value, people will know it, and it's only a matter of time until they demand more measures be taken to protect what they have no choice - for the time being - but to entrust others with. It is later then we think, especially for Europeans, and their legislators seem to be listening - amid increasing alarm over U.S. hegemony, especially with social media companies. Why not catch the wave ahead of a proliferation of national laws aiming at securing the grasp of data subjects over their PIIs and make positive steps to patch the fort? </span></div><div id="yui_3_16_0_ym19_1_1468160456567_199323" dir="ltr"><span><br></span></div><div id="yui_3_16_0_ym19_1_1468160456567_199323" dir="ltr"><span id="yui_3_16_0_ym19_1_1468160456567_211964">For example, t</span><span style="color: rgb(86, 90, 92); font-family: Arial, sans-serif;" id="yui_3_16_0_ym19_1_1468160456567_202892">he
data portability right included in the European Union General Data Protection
Regulation (GDPR) may significantly alter the relationship between data
subjects and data controllers by making it possible for individuals to manage
their data as a single set of information across different platforms.</span></div>
<div style="margin: 0in 0in 15pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1468160456567_202893"><span style="font-family:"Arial",sans-serif;color:#565A5C" id="yui_3_16_0_ym19_1_1468160456567_202894">For
example, the right might enable data subjects to take their transaction
histories with them when they switch to a new bank, or employees to carry their
employment records when they move to a new job, even if that new job is in
another country.<o:p id="yui_3_16_0_ym19_1_1468160456567_202895"></o:p></span></div>
<div style="margin: 0in 0in 15pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" dir="ltr" id="yui_3_16_0_ym19_1_1468160456567_202896"><span style="font-family:"Arial",sans-serif;color:#565A5C" id="yui_3_16_0_ym19_1_1468160456567_202897">The
overall effect may weaken the hold data controllers have over personal data,
and to force controllers to work with one another, even in cases in which some
controllers might lose out. Already</span><span style="color: rgb(86, 90, 92); font-family: Arial, sans-serif; font-size: 11pt; line-height: 107%;" id="yui_3_16_0_ym19_1_1468160456567_205074"> the right for data subjects to access and receive their
data already exists under the EU Data Protection Directive (95/46/EC). </span><span style="color: rgb(86, 90, 92); font-family: Arial, sans-serif;" id="yui_3_16_0_ym19_1_1468160456567_206782">Article
18 of the GDPR augments the data access right by requiring the data subject's
personal data to be provided “in a structured and commonly used and
machine-readable format” so that it can be provided to an alternative data
controller “without hindrance” from the original controller.</span></div>
<div style="margin: 0in 0in 15pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" dir="ltr" id="yui_3_16_0_ym19_1_1468160456567_206783"><span style="font-family:"Arial",sans-serif;color:#565A5C" id="yui_3_16_0_ym19_1_1468160456567_206784">Under
the GDPR, the data subject can also ask the controller to transmit his or her
data directly to an alternative controller “where technically feasible.”<o:p id="yui_3_16_0_ym19_1_1468160456567_206785"></o:p></span><span style="color: rgb(86, 90, 92); font-family: Arial, sans-serif; font-size: 11pt; line-height: 107%;" id="yui_3_16_0_ym19_1_1468160456567_206871">The right applies to personal data that is processed
on the basis of the data subject's consent or to fulfill a contract. </span></div><div style="margin: 0in 0in 15pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" dir="ltr" id="yui_3_16_0_ym19_1_1468160456567_206783"><span style="color: rgb(86, 90, 92); font-family: Arial, sans-serif;" id="yui_3_16_0_ym19_1_1468160456567_207107">In the future, data subjects might be able to make demands when it comes to data security and system integrity, permissible uses (liability of controllers in case of loss, leak, selling or re-purposing of their PIIs even?). It's only a matter of time. As the value of personal data continues to grow, data subject will be awarded greater ownership rights on their data and greater control over them. So, will it be business as usual, or can we adopt a more forward-looking attitude? </span><br></div><div></div><div id="yui_3_16_0_ym19_1_1468160456567_200071"> </div><div class="signature" id="yui_3_16_0_ym19_1_1468160456567_199284">Nathalie </div> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"><font size="2" face="Arial"> On Sunday, July 10, 2016 10:39 PM, "Gomes, Chuck" <cgomes@verisign.com> wrote:<br></font></div> <br><br> <div class="y_msg_container"><div id="yiv7801899585"><style>#yiv7801899585 P {
MARGIN-BOTTOM:0px;MARGIN-TOP:0px;}
</style><div>
<div style="direction:ltr;font-family:Tahoma;color:#000000;font-size:10pt;">
<div>Ayden,</div>
<div> </div>
<div>We hnave discussed your input on the leadership list and the following points were made that I think are worth noting:</div>
<div> </div>
<div>". . . the board/GNSO group that developed the process framework explicitly considered whether to split this PDP into multiple PDPs to separately address more specific questions, and firmly decided upon a single PDP which required (at minimum) all of the
questions to be considered.<br clear="none">
<br clear="none">
"When reaching this decision, the board/GNSO group acknowledged that one large PDP would be very complex and thus more difficult to resource and manage. It did look at spinning off for example a PDP on privacy. However, it was felt that the questions identified
in the charter were so tightly inter-related that they could not be effectively progressed independently, and that reaching consensus would require striking a balance between the interests of diverse groups with very different priorities. This is why the charter's
phase 1 requires all questions to be considered "simultaneously" by a single group before making an initial recommendation. This is also why the process framework enumerates a list of questions to be evaluated by the GNSO council at key decision points. The
intent was to help ensure that sufficient progress is made in considering all questions and concerns, and that none be pushed to the side or left behind for later consideration."</div>
<div> </div>
<div>"<span style="FONT-SIZE:11pt;">In addition to (the) insights on the process framework, from a practical perspective – an Initial Report comes with certain requirements of what needs to be included and a minimum 40-day
public comment period so five Initial Reports would create a significant amount of work in addition to a minimum of 200 days of public comment period, and in the end, all the recommendations would need to be bundled up into one overall Initial Report anyway
which would also need to go out for public comment. From the process framework as well as WG discussions, it (seems) clear that all these issues are interlinked so it would likely be very difficult (for) the community (to) able to comment on these standalone
Initial Reports without having information on how the other issues are addressed. (On a side point) it may be helpful to move away from the term Initial Report as it comes with a number of minimum requirements which may not be relevant for what the WG is trying
to achieve."</span></div>
<div><span style="FONT-SIZE:11pt;"></span> </div>
<div><span style="FONT-SIZE:11pt;">Considering these points, I really believe that we should continue with the direction as proposed but we will discuss this further in our WG meeting Tuesday.</span></div>
<div><span style="FONT-SIZE:11pt;"></span> </div>
<div><span style="FONT-SIZE:11pt;">Chuck</span></div>
<div><span style="FONT-SIZE:11pt;"></span> </div>
<div class="yiv7801899585yqt4162074902" id="yiv7801899585yqt23783"><div style="FONT-SIZE:16px;FONT-FAMILY:Times New Roman;COLOR:#000000;">
<hr tabindex="-1">
<div id="yiv7801899585divRpF779513" style="DIRECTION:ltr;"><font color="#000000" size="2" face="Tahoma"><b>From:</b> Ayden Férdeline [icann@ferdeline.com]<br clear="none">
<b>Sent:</b> Saturday, July 09, 2016 3:44 PM<br clear="none">
<b>To:</b> Gomes, Chuck<br clear="none">
<b>Cc:</b> gnso-rds-pdp-wg@icann.org<br clear="none">
<b>Subject:</b> Re: [gnso-rds-pdp-wg] Latest Revision to Possible Approach to Determining Consensus<br clear="none">
</font><br clear="none">
</div>
<div></div>
<div>
<div dir="ltr">Hi, all-
<div><br clear="none">
</div>
<div>Thank you for sharing this document, Chuck. Having reflected on its contents, I have two suggested revisions. Firstly, I would like to table the idea of having five initial reports, and secondly I would like to re-state my opposition to the inclusion of
use cases.</div>
<div><br clear="none">
</div>
<div>Five initial reports would allow us to more thoroughly and fairly consider each of the fundamental questions set out in the working group charter. I appreciate that on the surface this suggestion may sound radical, but I believe a more incremental approach
would be the most prudent means through which we could fairly and justly address each of these important, initial charter questions. As Sana noted a few weeks ago, different parts of our work plan are inevitably going to weigh differently on the various stakeholders
involved in this working group, so proceeding in a slightly slower fashion will allow us all to be fed new information, ideas, and perspectives. I worry that if we move too quickly, possibly as a result of misunderstandings, we may unintentionally upset the
RDS landscape and impose significant costs on some stakeholders.</div>
<div><br clear="none">
</div>
<div>My suggestion is to consider one charter question per initial report, followed by a public consultation exercise. This way, we can better communicate to the wider ICANN community our progress – and it will be much easier for others to comment when we ask
them to consider a small bite-sized chunk of our work, rather than having to familiarise themselves with every piece of the puzzle. I remember in Helsinki we spoke of wanting to have the GAC involved sooner and more frequently – this might be a helpful means
of doing just that.</div>
<div><br clear="none">
</div>
<div>My suggested order for the five reports would be: privacy -> purpose -> data elements -> accuracy -> gated access. I would like to suggest we consider privacy first, because until such time as we have a privacy framework to work within it will be difficult
(if not impossible?) to define how limited the RDS’ purpose can or must be. And only once we know the purpose of the RDS can we determine the data elements which need to be collected. </div>
<div><br clear="none">
</div>
<div>Finally, in regards to point 3) c) iii) of version 13 of the work plan, I would just like to have it on the record that I remain opposed - like I was at our face-to-face meeting in Helsinki - to the consideration of use cases in our deliberations. I am
concerned that use cases may legitimise illegitimate uses of the RDS because the burden of proof required to strike one out is surely going to be high. If we go down this route of considering use cases, however, I would like to respectfully suggest that we
also consider misuse cases – they may help us identify negative scenarios that could arise as a result of the RDS.</div>
<div><br clear="none">
</div>
<div>Thank you for considering these two proposals.</div>
<div><br clear="none">
</div>
<div>Best wishes,</div>
<div><br clear="none">
</div>
<div>Ayden</div>
<div><br clear="none">
</div>
<div>P.S. This is my first ICANN working group, so I am still learning about how we initiate PDPs, develop work plans, consider issues, and ultimately reach rough consensus. I say this because it is very possible I have misunderstood something or do not appreciate
the repercussions that could arise from my suggested changes to the work plan. If that is the case, I am happy to be corrected :-). However, I do think that there are capacity constraints. There are only so many issues we can work on at once. The perception
I have at the moment, of the many emails I receive from this list, are that we are frequently being reminded that we are ahead of ourselves. I have been guilty of this too. Considering each charter question, one at a time, would give us focus and direction.
</div>
</div>
<div class="yiv7801899585gmail_extra"><br clear="none">
<div class="yiv7801899585gmail_quote">On 8 July 2016 at 18:04, Gomes, Chuck <span dir="ltr"><<a rel="nofollow" shape="rect" ymailto="mailto:cgomes@verisign.com" target="_blank" href="mailto:cgomes@verisign.com">cgomes@verisign.com</a>></span> wrote:<br clear="none">
<blockquote class="yiv7801899585gmail_quote" style="PADDING-LEFT:1ex;MARGIN:0px 0px 0px 0.8ex;BORDER-LEFT:#ccc 1px solid;">
<div lang="EN-US">
<div>
<div class="yiv7801899585MsoNormal">Based on the results of our work in Helsinki, the Possible Approach to Determining Consensus was revised. Changes made since the last version are redlined to make them easy to find.<u></u><u></u></div>
<div class="yiv7801899585MsoNormal"><u></u><u></u> </div>
<div class="yiv7801899585MsoNormal">If possible, please try to review the edits made before our WG call next Tuesday. It will be a main item on our agenda.<span class="yiv7801899585HOEnZb"><font color="#888888"><u></u><u></u></font></span></div>
<span class="yiv7801899585HOEnZb"><font color="#888888">
</font></span><div class="yiv7801899585MsoNormal"><u></u><u></u> </div>
<div class="yiv7801899585MsoNormal">Chuck<u></u><u></u></div>
</div>
</div>
<br clear="none">
_______________________________________________<br clear="none">
gnso-rds-pdp-wg mailing list<br clear="none">
<a rel="nofollow" shape="rect" ymailto="mailto:gnso-rds-pdp-wg@icann.org" target="_blank" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br clear="none">
<a rel="nofollow" shape="rect" target="_blank" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><br clear="none">
</blockquote>
</div>
<br clear="none">
</div>
</div>
</div></div>
</div>
</div></div><br><div class="yqt4162074902" id="yqt83225">_______________________________________________<br clear="none">gnso-rds-pdp-wg mailing list<br clear="none"><a shape="rect" ymailto="mailto:gnso-rds-pdp-wg@icann.org" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br clear="none"><a shape="rect" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></div><br><br></div> </div> </div> </div></div></body></html>